What is the GDPR and how does it affect my business?

You may recently have received information about the GDPR, the General Data Protection Regulation. The GDPR is a new European Union regulation designed to significantly strengthen the privacy protection of personal data belonging to people in the EU. It sets specific obligations for every organization or business that collects or processes personal data. The deadline for compliance is this Friday, May 25, so read below to see what you need to do!

Who will this affect?

While the current EU legislation (the 1995 EU Data Protection Directive) governs entities established within the EU, the territorial scope of the GDPR is far wider and also applies to non-EU businesses that:

Market their products or services to people in the EU

Monitor the behavior of people in the EU

In other words, even if you are based outside the EU, if you control or process the personal data of people in the EU, the GDPR applies to you.

The GDPR covers every form of personal data your business collects, which may include:

Name

Photo

An email address

An IP address

Bank details

Financial information

Posts on social media sites

A tracking cookie

Any data you associate with that person, such as previous purchasing or website history

Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.

Roles

There are four roles a person or business can fall into under the GDPR:

The data subject is the individual in the EU whose personal data is collected, stored and/or processed by other entities.

The data controller (often loosely called the data collector) is the entity the data subject transacts with and therefore entrusts their personal data to. As a merchant, you are a data controller (this is probably your business!).

The data processor is any company that stores and/or processes the data on behalf of the data controller. Your e-commerce platform is a data processor.

A third-party data processor, or "subprocessor", is any company that performs additional processing after personal data is transferred to it by a data processor. For example, our software is hosted on Amazon Web Services (AWS); in this case AWS is a subprocessor.

It is important to understand that as a data controller under the GDPR you are responsible for protecting the personal data of your customers. That includes ensuring that every company you do business with processes the data of your EU customers in a GDPR-compliant manner (in practice, under a written data processing agreement with each processor). Personal data is collected by all kinds of platforms, including but not limited to: your e-commerce platform, Klaviyo, form providers, certain analytics software and loyalty platform providers. Most things in your marketing technology stack will fall into the role of a data processor.

Advertising

Email Marketing

Individuals must actively opt in before you email them, and must be able to opt out at any time

Email consent must be separate from Terms & Conditions and privacy notices

It must be easy for individuals to unsubscribe; clear directions on how to unsubscribe must be provided in every email

Keep detailed records of consent: who consented, when, how and to what

Regularly ensure contact lists are up to date

MailChimp: enable GDPR fields in settings (links below with how to do this)

On Your Website

Google AdWords: consent is required for the use of cookies and for the collection and sharing of personal data

Google Business: audit every part of your website to ensure no personal data is being collected without consent, and update your privacy policy accordingly. Additionally, provide an easy-to-access opt-in/opt-out function on the website (we currently have one on this site, for example)
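One way to build such an opt-in/opt-out function, together with the consent records recommended under Email Marketing (who, when, how, to what), as an added example that is not code from the original post or from any of the platforms it names. It is plain JavaScript; the cookie "jar" object, the consent log array and the visitor id are assumptions standing in for document.cookie and your own consent database.

```javascript
// Added example (not from the original article): a minimal consent gate.
// Assumptions: `jar` stands in for document.cookie, `log` for a consent
// database, and subject ids / cookie names are constructed sample data.

const CATEGORIES = ["necessary", "analytics", "advertising", "email"];

// A consent record captures who consented, when, how (the source) and to what.
// "necessary" cookies never need consent, so they are always allowed.
function recordConsent(log, subjectId, choices, source) {
  const record = {
    subjectId,
    timestamp: new Date().toISOString(),
    source, // e.g. "cookie banner v1", "checkout form", "preferences page"
    choices: Object.fromEntries(
      CATEGORIES.map((c) => [c, c === "necessary" ? true : Boolean(choices[c])])
    ),
  };
  log.push(record);
  return record;
}

// The most recent decision wins. With no record at all, nothing beyond
// "necessary" is allowed: silence is not consent.
function currentConsent(log, subjectId) {
  const mine = log.filter((r) => r.subjectId === subjectId);
  if (mine.length === 0) {
    return Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
  }
  return mine[mine.length - 1].choices;
}

// Set a cookie only if its category has been consented to. Returns whether it was set.
function setCookieIfAllowed(jar, log, subjectId, name, value, category) {
  if (!currentConsent(log, subjectId)[category]) return false;
  jar[name] = value;
  return true;
}

// Withdrawing consent must be as easy as giving it: log the new decision and
// delete every cookie whose category is no longer permitted.
function withdrawConsent(jar, log, subjectId, categories, cookieCategories, source) {
  const choices = { ...currentConsent(log, subjectId) };
  for (const c of categories) if (c !== "necessary") choices[c] = false;
  recordConsent(log, subjectId, choices, source);
  for (const [name, cat] of Object.entries(cookieCategories)) {
    if (!choices[cat]) delete jar[name];
  }
  return choices;
}

// Walk a constructed visitor through first visit, opt-in and partial opt-out.
function demo() {
  const jar = {};
  const log = [];
  const subject = "visitor-42"; // constructed sample id
  const cookieCategories = { session: "necessary", analytics_id: "analytics", ad_id: "advertising" };

  // First visit, no choice made yet: only the necessary session cookie may be set.
  const beforeOptIn = setCookieIfAllowed(jar, log, subject, "analytics_id", "A1", "analytics");
  setCookieIfAllowed(jar, log, subject, "session", "s-123", "necessary");

  // Visitor opts in to analytics and email, but not advertising.
  recordConsent(log, subject, { analytics: true, advertising: false, email: true }, "cookie banner v1");
  const analyticsSet = setCookieIfAllowed(jar, log, subject, "analytics_id", "A1", "analytics");
  const adsSet = setCookieIfAllowed(jar, log, subject, "ad_id", "B2", "advertising");

  // Later the visitor withdraws analytics and email consent from the preferences page.
  withdrawConsent(jar, log, subject, ["analytics", "email"], cookieCategories, "preferences page");

  return {
    beforeOptIn,
    analyticsSet,
    adsSet,
    cookies: Object.keys(jar).sort(),
    records: log.length,
    final: currentConsent(log, subject),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two design choices matter here: nothing outside the "necessary" category is set until a recorded opt-in exists, and every change of mind is appended to the log rather than overwriting it, so you can later show who consented to what, when, and through which form.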

Social Media

Facebook, LinkedIn, Twitter, Instagram and Snapchat have all updated their policies and privacy settings to comply with the GDPR